(54) Encryption/decryption apparatus

(57) A pair of a pattern of a mask (a) and a mask pattern obtained by bit inversion of the mask is prepared for each round function (5) in a data scrambler (1). Every time encryption is to be performed, one mask pattern of the pair is randomly selected by a switch (SW12), and an exclusive OR (32a) of an input to an S-box (29) and the selected mask pattern is calculated. In addition, an exclusive OR (33a) of an output from the S-box (29) and bits of inverse permutation P⁻¹ of the mask (a) is calculated. The exclusive ORs (32a, 33a) are calculated in advance and stored as a table in the S-box (29). Furthermore, an exclusive OR (43a) of the output from each round function (5) and a mask (b) is calculated and concealed. The influence of the mask (b) is removed by calculating the exclusive OR with the mask (b) again on the next round.
Description

[0001] This application is based on Japanese Patent Application No. 10-233921, filed August 20, 1998, the contents of which are incorporated herein by reference.

[0002] The present invention relates to an encryption/decryption apparatus and method and, more particularly, to an encryption/decryption apparatus and method which use secret key block encryption and a program storage medium therefor.

[0003] The DES (Data Encryption Standard) is secret key block encryption that has currently been used most widely, which is described in detail in Jpn. Pat. Appln. KOKAI Publication No. 51-108701.

[0004] The DES has been evaluated in various viewpoints, and decryption methods such as a differential decryption method and linear decryption method, which are more effective than a key exhaustive search method, have been proposed.

[0005] Note that the differential decryption method is disclosed in E. Biham and A. Shamir, "Differential Cryptanalysis of DES-like Cryptosystems," Journal of CRYPTOLOGY, Vol. 4, Number 1, 1991. The linear decryption method is disclosed in Mitsuru Matsui, "Linear Decryption of DES ciphertext (I)", Encryption and Information Security Symposium, SCIS93-3C, 1993.
[0006] There is a new decryption method based on power consumption differences. In this method, power consumption differences between given bits of data (power consumption corresponding to bit 0 and power consumption corresponding to bit 1) are measured to estimate bits. In the case of the DES, for example, an input to an S-box and a corresponding output are estimated on the basis of a known ciphertext output and estimation of a key. A power consumption difference that appears when a given one bit is 0 or 1, which is estimated on the basis of the output from the S-box, is measured to check the validity of estimation, i.e., the validity of estimation of the key.

[0007] For this reason, there is a possibility that a DES ciphertext is decrypted by the above method, and hence higher security has been required.
[0008] It is an object of the present invention to provide an encryption/decryption apparatus and method, which make it difficult to perform decryption by a technique based on power consumption differences without changing the data encryption processing result obtained by a conventional encryption/decryption apparatus and method, and a program storage medium for the apparatus and method.
[0009] In order to achieve the above object, according to the first aspect of the present invention, there is provided an encryption apparatus for converting a plaintext block into a ciphertext block depending on supplied key information, comprising means for randomly selecting one pattern of each of pairs ai, āi (where i is a positive integer not less than one) of one or a plurality of predetermined mask patterns and mask patterns obtained by bit inversion of the predetermined mask patterns every time encryption is performed, means for masking bits dependent on a plaintext within the apparatus with the mask pattern selected by the selection means, and means for removing an influence of the mask a from a ciphertext before the ciphertext is output.

[0010] According to the second aspect of the present invention, there is provided an encryption apparatus for converting a plaintext block into a ciphertext block depending on supplied key information, comprising means for randomly selecting one pattern of each of pairs ai, āi (where i is a positive integer not less than one) of one or a plurality of predetermined mask patterns and mask patterns obtained by bit inversion of the predetermined mask patterns every time encryption is performed, means for masking intermediate bit data within the apparatus with the mask pattern selected by the selection means, and means for removing an influence of the mask a from the intermediate bit data masked by the masking means.

[0011] According to the third aspect of the present invention, there is provided an encryption method of converting a plaintext block into a ciphertext block depending on supplied key information, comprising the steps of randomly selecting one pattern of each of pairs ai, āi (where i is a positive integer not less than one) of one or a plurality of predetermined mask patterns and mask patterns obtained by bit inversion of the predetermined mask patterns every time encryption is performed, masking bits dependent on a plaintext within the method with the selected mask pattern, and removing an influence of the mask a from a ciphertext before the ciphertext is output.

[0012] According to the fourth aspect of the present invention, there is provided an encryption method of converting a plaintext block into a ciphertext block depending on supplied key information, comprising the steps of randomly selecting one pattern of each of pairs ai, āi (where i is a positive integer not less than one) of one or a plurality of predetermined mask patterns and mask patterns obtained by bit inversion of the predetermined mask patterns every time encryption is performed, masking intermediate bit data within the method with the selected mask pattern, and removing an influence of the mask a from the masked intermediate bit data.

[0013] According to the fifth aspect of the present invention, there is provided a computer-usable program storage medium storing computer-readable program code means for converting a plaintext block into a ciphertext block depending on supplied key information, comprising computer-readable program code means for causing a computer to randomly select one pattern of each of pairs ai, āi (where i is a positive integer not less than one) of one or a plurality of predetermined mask patterns and mask patterns obtained by bit inversion of the predetermined mask patterns every time encryption is performed, computer-readable program code means for causing the computer to mask bits dependent on a plaintext within the method with the selected mask pattern, and computer-readable program code means for causing the computer to remove an influence of the mask a from a ciphertext before the ciphertext is output.
[0014] According to the present invention, original data is masked, and the mask is removed immediately before it is input to each S-box. When this mask is removed, there is a possibility that the data may be decrypted by the above technique based on power consumption differences. For this reason, according to the present invention, mask removal processing immediately before the data is input to each S-box, input operation of the original data to each S-box immediately after mask removal, and masking operation for the output from each S-box are calculated in advance and stored as a table, and the calculation result is obtained by looking up the table. For this reason, neither calculation of an exclusive OR for mask removal nor calculation of an exclusive OR for masking is performed during encryption and decryption, and the data cannot be decrypted by the technique based on power consumption differences.

[0015] According to the present invention, consistency of encryption and decryption is ensured, and security against the decryption technique based on power consumption differences can be improved by making it difficult to decrypt data by the technique based on power consumption differences.

[0016] This summary of the invention does not necessarily describe all necessary features so that the invention may also be a sub-combination of these described features.

[0017] The invention can be more fully understood from the following detailed description when taken in conjunction with the accompanying drawings, in which:

FIG. 1 is a block diagram showing the overall arrangement of a DES algorithm;
FIG. 2 is a block diagram showing the arrangement of the round functions of the DES;
FIG. 3 is a table showing an example of the contents of an S-box conforming to a DES standard table;
FIG. 4 is a block diagram showing an arrangement in which masks are added to round functions according to the present invention;
FIG. 5A is a circuit diagram showing an arrangement in which a mask is added to the input round according to the present invention;
FIG. 5B is a circuit diagram showing an arrangement in which a mask is added to the final round according to the present invention;
FIG. 6 is a table showing an expansion E;
FIG. 7 is a table showing a permutation P;
FIG. 8 is a view showing a concealed output from S1 which corresponds to an input (000000, 000001, ..., 111111) in the use of a mask a;
FIG. 9 is a table of a mask ā (bit inversion of a);
FIG. 10 is a block diagram showing an arrangement of a DES algorithm according to an embodiment;
FIG. 11 is a block diagram showing an arrangement obtained by adding masks to the round functions in the arrangement in FIG. 10;
FIG. 12 is a block diagram showing the arrangement of S in FIG. 11;
FIG. 13 is a block diagram showing another arrangement of a DES algorithm according to an embodiment;
FIG. 14 is a block diagram showing an arrangement obtained by adding masks to the round functions in the arrangement in FIG. 13;
FIG. 15 is a block diagram showing the arrangement of S in FIG. 14;
FIG. 16 is a block diagram showing the arrangement of a key scheduler of a DES algorithm;
FIG. 17 is a block diagram showing an arrangement in which a mask is added to the key scheduler according to the present invention;
FIG. 18 is a block diagram showing an arrangement in which the mask added to the key scheduler is added to each round function according to the present invention;
FIG. 19 is a flow chart showing the flow of processing in an encryption method according to an embodiment, which includes the step of masking bits dependent on a plaintext with selected mask patterns and the step of removing the influence of the masks described above from the ciphertext before it is output;
FIG. 20 is a flow chart showing the flow of processing in an encryption method according to an embodiment;
FIG. 21 is a flow chart showing the flow of processing in an encryption method according to an embodiment which includes the step of removing the influence of masks from intermediate bit data during an encryption procedure and the step of masking the data with mask patterns;
FIG. 22 is a flow chart associated with an encryption procedure according to an embodiment of the present invention; and
FIG. 23 is a block diagram showing the arrangement of an IC card that implements the encryption/decryption method, and program storage medium therefor according to the present invention described above.

[0018] An embodiment of the present invention will be described below with reference to the views of the accompanying drawing.

[0019] FIG. 1 shows an arrangement of an encryption algorithm DES to which the present invention is applied. This arrangement is comprised of a data scrambler 1 including 1st to 16th rounds for scrambling a plaintext (64 bits) 3 depending on an externally input key 8 and outputting a corresponding ciphertext and a key scheduler 2 for expanding key information k into an intermediate key to be supplied to the data scrambler 1.

[0020] Referring to FIG. 1, the plaintext (64 bits) 3 is subjected to an initial permutation IP 4 first, and then divided into two equal halves. The left 32-bit data and right 32-bit data of the two equal halves are respectively input to a round function 5. The structure of the round function will be described later. The left 32-bit data and right 32-bit data output from the round function are interchanged and input to the next round function.

[0021] After these data are processed by the 16 round functions, a ciphertext 7 is output by a final permutation IP⁻¹ 6.

[0022] FIG. 2 is a block diagram showing the details of the round function 5 in FIG. 1. A round function 17 is constituted by a permutation E 11, exclusive OR 13, S-boxes 14, permutation P 15, and exclusive OR 16.
[0023] The right 32-bit data is extended into 48-bit data by the permutation E 11. The resultant data is output to the exclusive OR 13. The exclusive OR 13 outputs the exclusive OR of the output from the permutation E 11 and an extended key 12. The 48-bit data output from the exclusive OR 13 is equally divided into 6-bit data. Each 6-bit data is input to a corresponding one of the S-boxes 14. In this embodiment, each S-box is formed from a table, and outputs 4-bit data with respect to a 64-entry 6-bit input. According to S1 based on the DES, if the left and right ends of a 6-bit input are respectively regarded as the first and sixth bits, a row in a table of the S-box in FIG. 3 is designated by the first and sixth bits regarded as binary numbers. Note that the row numbers in the table of the S-box shown in FIG. 3 are counted from above as the 0th, 1st, 2nd, and 3rd rows. A column number is then designated by the four remaining bits regarded as a binary number. The column numbers are also counted from the left end as the 0th, 1st, 2nd, 3rd, ..., 15th columns. If, for example, 011011 is input to S1, the row number is 01. That is, the second row from above is designated. Since the column number is 1101, i.e., 13 (14th column from left), the value in the table is 5. Therefore, S1 outputs this value in binary notation, i.e., 0101. Referring to FIG. 3, each output from the S-box is designated by a row and column. In general, however, such an S-box is formed as a table corresponding to inputs ranging from 0 to 63. The 32-bit data obtained by combining outputs from the respective S-boxes is subjected to bit permutation operation by the permutation P 15. The resultant data is output to the exclusive OR 16. The exclusive OR 16 outputs the exclusive OR of the left 32-bit data and the output from the permutation P 15.

[0024] FIG. 4 is a circuit diagram showing the details of the round function 5 in FIG. 1 and the round function 17 in FIG. 2. FIG. 5A shows an arrangement for an input to the first round function. FIG. 5B shows an arrangement for an output from the 16th round function.

[0025] An embodiment of the present invention will be described in detail below with reference to FIGS. 4, 5A, and 5B.

[0026] Referring to FIG. 4, reference symbols a and b respectively denote 32-bit masks; and ā, inversion of all bits. In a round function 35 in FIG. 4, an exclusive OR 25 calculates the exclusive OR of the right 32-bit data and an output from a switch SW23 and outputs it to an expansion E 26. An output from the expansion E 26 is exclusive-ORed with an extended key Ki by an exclusive OR 27. The resultant data is output to a switch SW12. The switch SW12 causes the data to branch in accordance with a random number sequence Rij. If Rij is 0, the switch SW12 causes the data to branch to the 0 side. If Rij is 1, the switch SW12 causes the data to branch to the 1 side.

[0027] FIG. 4 shows the arrangement of each S-box after branching at the switch SW12. An S-box 29 corresponds to S1 to S8 based on the DES.
[0028] When the switch SW12 causes data to branch to the 0 side, the process indicated by a dashed line 34a is performed. More specifically, an exclusive OR 32a calculates the exclusive OR of the output from the exclusive OR 27 and six bits (E(a)) of the result obtained by performing the expansion E for the mask a which corresponds to an input of the S-box, and outputs the resultant data to the S-box 29. The S-box 29 outputs the result obtained by looking up the table of the S-box to an exclusive OR 33a.

[0029] The exclusive OR 33a calculates the exclusive OR of bits of P⁻¹(a) as the result obtained by performing inverse permutation P⁻¹ for the mask a and the output from the S-box 29, and outputs the resultant data to the switch SW11.

[0030] When the switch SW12 causes the data to branch to the 1 side, the process indicated by a dashed line 34b is performed. More specifically, an exclusive OR 32b calculates the exclusive OR of the output from the exclusive OR 27 and bits of the result obtained by performing the expansion E for the mask ā which corresponds to an input of the S-box, and outputs the resultant data to the S-box 29. The S-box 29 looks up the table of the corresponding S-box and outputs the resultant data to the exclusive OR 33b.

[0031] The exclusive OR 33b calculates the exclusive OR of four bits of P⁻¹(ā) as the result obtained by performing inverse permutation P⁻¹ of a permutation P 30 for the mask ā which corresponds to an output from the S-box and the output from the S-box 29, and outputs the resultant data to the switch SW11.

[0032] Note that the processes indicated by the dashed lines 34a and 34b must not be performed during encryption and decryption. This is because, even if data is concealed with the above mask, since input/output operation of the S-box 29 is not concealed, decryption may be attempted by using power consumption differences in S-box processing.

[0033] In this embodiment of the present invention, the results of the processes indicated by the dashed lines 34a and 34b are obtained first by pre-calculation performed before encryption and decryption, and encryption processing and decryption processing are then performed. For example, a table in which the index of each input to each S-box and a corresponding output are rewritten is prepared for each S-box, and is used for encryption and decryption. In this case, a table of an S-box corresponding to the mask a and a table of an S-box corresponding to the mask ā are prepared. For example, the following is the result obtained by calculating the process block 34a in FIG. 4 using the mask a. Assume that the mask a is (0110 1111 1100 1010 0110 1100 1100 0011). The expansion E is expressed by the table shown in FIG. 6. In the table shown in FIG. 6, the respective rows correspond to inputs to S1, S2, ..., S8 from above. In addition, the first bit on the left end of each column corresponds to the first bit of an input to a corresponding S-box. Each number in the table represents the Xth bit of a corresponding input to the expansion E. That is, the input to S1 includes the 32nd, 1st, 2nd, 3rd, 4th, and 5th bits of the input to E. With the above mask a, therefore, a bit mask E(a) corresponding to the input to S1 is (101101). FIG. 7 shows a table of the permutation P. Referring to FIG. 7, the numbers sequentially correspond to the first to 32nd bits of the output from P from the left (the first and second rows are contiguous). Each term represents the Xth bit of an input. That is, the first bit of the output from permutation P is the 16th bit of the input. The bits corresponding to S1 are the 1st, 2nd, 3rd, and 4th bits of the input to the permutation P, and hence respectively correspond to the 9th, 17th, 23rd, and 31st bits of the output from P. Since a mask corresponding to the output from S1 is P⁻¹(a), i.e., the output from P is a, the 9th, 17th, 23rd, and 31st bits of the mask a become P⁻¹(a). The mask corresponding to the output from S1 is therefore (1001). With the above mask a, therefore, a bit mask E(a) corresponding to the input to S1 is (101101), and a bit mask P⁻¹(a) corresponding to the output from S1 is (1001). According to the actually formed table corresponding to the mask a, the output from S1 is calculated by using the result of the exclusive OR of the input and the bit mask E(a) as the input to S1, and an output from the table is obtained by adding the bit mask P⁻¹(a) to the output from S1 by exclusive OR. FIG. 8 shows an output (corresponding to an input of 0 to 63) of concealed S1 when the input corresponds to (000000, 000001, ..., 111111) in the case of the above mask a. FIG. 9 shows a table of the mask ā (bit inversion of a).
[0034] The outputs from the respective process blocks indicated by the dashed lines 34a and 34b are permutated by a permutation P 30. The resultant data is output to an exclusive OR 31. The exclusive OR 31 calculates the exclusive OR of the left 32-bit data and the output from the permutation P 30. An exclusive OR 24 calculates the exclusive OR of the right 32-bit data and the output from the switch SW13 to obtain new right 32-bit data.

[0035] Referring to FIG. 5A, the result obtained by permutating the plaintext (64 bits) by initial permutation IP 41a is divided into equal halves, i.e., right 32-bit data and left 32-bit data. An exclusive OR 44a calculates the exclusive OR of the left 32-bit data and an output from a switch SW21. The output from this exclusive OR 44a becomes the left 32-bit data of an input of the first round function. An exclusive OR 42a calculates the exclusive OR of the right 32-bit data and an output from a switch SW14. An exclusive OR 43a calculates the exclusive OR of the output from the exclusive OR 42a and an output from a switch SW22.

[0036] The output from the exclusive OR 43a becomes the right 32-bit data of an input of the first round function. In the case shown in FIG. 5A, the sequence of the exclusive ORs 42a and 43a may be interchanged in accordance with the characteristics of the exclusive ORs.

[0037] Referring to FIG. 5B, the result obtained by permutating the plaintext (64 bits) by initial permutation IP 41a is divided into equal halves, i.e., right 32-bit data and left 32-bit data. An exclusive OR 44b calculates the exclusive OR of the left 32-bit data and the output from the switch SW21. This eliminates the influence of the mask in the exclusive OR 43a in FIG. 5A. The output from the exclusive OR 44b is input to a final permutation IP⁻¹ 41b. An exclusive OR 42b calculates the exclusive OR of the right 32-bit data and the output from the switch SW14. An exclusive OR 43b calculates the exclusive OR of the output from the exclusive OR 42b and the output from switch SW22. This eliminates the influence of the mask in the exclusive OR 44a in FIG. 5A. The output from the exclusive OR 43b is input to the final permutation IP⁻¹ 41b. Referring to FIG. 5B, the sequence of the exclusive ORs 42b and 43b may be interchanged in accordance with the characteristics of the exclusive ORs.

[0038] The characteristics of the arrangement shown in FIGS. 4, 5A and 5B will be described below.

[0039] The exclusive ORs 44a, 42a, and 43a conceal data by using masks such as the masks a and b. With this operation, in the data scrambler, it is difficult to observe the left 32-bit data and right 32-bit data from the outside world. If, however, data is concealed by using the above masks, inputs to the respective S-boxes 14 in FIG. 2 differ from the original plaintext data, and hence outputs from the S-boxes differ. Therefore, the output ciphertext does not correspond to the original plaintext data.

[0040] In order to solve the above problem, in each round function, the exclusive OR 25 in FIG. 4 calculates the exclusive OR of the mask b or mask b̄. This eliminates the influence of concealment using the mask b or b̄ added in FIG. 5A. If the switch SW12 causes the data to branch to the 0 side, the exclusive OR 32a eliminates the influence of concealment using the mask a in FIG. 5A. That is, the input to S29 becomes the same as the original plaintext input. The output from S29 is concealed again by the exclusive OR 33a using the mask a. In this case, because the process block 34a is performed in advance and its result is obtained by looking up the table, no significant changes in power consumption data directly associated with the input/output operation of S29 can be observed from the outside world.

[0041] The exclusive OR 24 in FIG. 4 temporarily eliminates the influence of the mask a or ā on the right 32-bit data. However, the right 32-bit data is still concealed by the mask b or b̄, and hence security is ensured. The right 32-bit data becomes left 32-bit data on the next round. The exclusive OR 31 calculates the exclusive OR of the left 32-bit data and the output from permutation P 30. As a consequence, the data is concealed by the mask a (or ā) and mask b (or b̄) and becomes a right input on the next round. As described above, therefore, consistency among the respective S-boxes is maintained in terms of DES for translation.

[0042] At the output of the final round, to eliminate the influence of each mask on concealment in FIG. 5A, the exclusive OR using each mask in FIG. 5B is performed.
[0043] The switches SW11, SW12, SW13, and SW14 are controlled by a random number sequence {R1i}. The switches SW21, SW22, and SW23 are controlled by a random number sequence {R2i}. For example, each switch selects a branch to the 0 side when Rji = 0, and selects a branch to the 1 side when Rji = 1. The random number sequences {R1i} and {R2i} for controlling the switches are characterized by being changed for each of encryption and decryption processes for the respective blocks. For example, in a given encryption process, all the switches SW11, SW12, SW13, and SW14 on the respective rounds perform processing on the 0 side. In another encryption process, all the switches SW11, SW12, SW13, and SW14 on the respective rounds perform processing on the 1 side.

[0044] If there is a clear relationship of dependence between the random number sequences {R1i} and {R2i}, an attacker has a clue to the estimation of the masks a and b. Random number sequences having no clear relationship of dependence are used as the random number sequences {R1i} and {R2i}. Ideally, the use of two random number sequences which are statistically independent is recommended. In practice, however, even if there is a statistical dependence relationship, this technique is effective as a measure against decryption based on power consumption differences, as long as the influence is sufficiently small. Two m sequence generators may be prepared as means for implementing the present invention, and outputs from the first and second m sequence generators may be respectively set to {R1j} and {R2j}. If the period of an m sequence is sufficiently long and the sequence lengths of the two m sequence generators, corresponding convention polynomials, and part or all of initial values are made to differ from each other, the above condition can be sufficiently satisfied. As another means for implementing random number sequences, one m sequence generator may be prepared to generate two bits for each encryption or decryption process. The first and second bits are respectively used as {R1j} and {R2j}.

[0045] Although the m sequence generators are presented as practical examples in this case, any random number sequence generator can be used as long as security in practice can be ensured. Note that these random number sequences must be implemented so as not to be estimated from the outside world. According to still another implementation means, random number sequences may be stored in a memory in advance to be sequentially referred to. Note that these random number sequences must be implemented so as not to be estimated from the outside world.
[0046] Referring to FIGS. 4, 5A, and 5B, the number of 1s of a bit sequence, i.e., a Hamming weight, is defined as H(a). In decryption using the technique based on power consumption differences, power consumption differences in a data encryption process are observed to acquire information about an encryption key. The concealment of data using the above masks makes it difficult to bring power consumption measurement from the outside world into correspondence with processed data. If, however, the Hamming weights of masks differ from each other, only data using only the masks a and b may be extracted in accordance with measurement of a plurality of encryption data and statistical information. If only such data can be extracted, a key can be extracted as in the prior art by using the decryption technique based on power consumption differences. Since the currently used mask can be discriminated as the mask a or ā in this manner, satisfactory countermeasures cannot be taken. If, for example, the Hamming weights of the masks a and ā or masks b and b̄ are set to be equal, it is difficult to discriminate the masks by measurement from the outside world, thus ensuring security. If, however, the bit weights of the masks are offset, the security greatly deteriorates.

[0047] Referring to FIGS. 4, 5A, and 5B, if, therefore, masks that satisfy H(a) = H(ā) = H(b) = H(b̄) = n/2 = 16 are selected (the Hamming weights of the masks are equal to each other), high security is ensured. In this case, since a bit count n of each of the masks a and b is 32, a mask value of 16 is preferably used as the bit weight of each of the masks a and b and the bit inversions of the masks a and b. Ideally, as described above, a mask having a Hamming weight corresponding to half of the bit length of the mask is preferably used. However, the same effect as described above can be obtained by using two masks having almost the same Hamming weight. In other words, if the Hamming weight indicating the number of bits 1 in an n-bit long bit sequence x is defined as H(x), the Hamming weight H(a) of the mask a satisfies 0 < H(a) < n. Alternatively, the absolute value of the difference between the Hamming weight H(a) of the mask a and the Hamming weight H(ā) of the bit inversion ā of the mask a is less than n/2.

[0048] That is, if the Hamming weights of the respective masks are not extremely offset, it is not easy to discriminate the masks by measurement from the outside world. Therefore, the effect of a countermeasure against the technique based on power consumption differences can be obtained.

[0049] Consider the characteristics of the expansion E 26 based on the DES in FIG. 4. For the same reason as that for the selection of a mask value in consideration of Hamming weights, masks for which the Hamming weights of E(a) and E(ā), applied to the exclusive ORs 32a and 32b, are equal to each other are selected. That is, masks satisfying H(E(a)) = H(E(ā)) are selected.
[0050] When the above mask condition is applied to the implementation of the DES, for example, it is required that both the number of 1s of the "first bits" (the bits on the left ends) of the respective 4-bit blocks of the mask a and the number of 1s of the "fourth bits" (the bits on the right ends) of the respective 4-bit blocks of the mask a are 4 each. That is, this embodiment is characterized by selecting the masks a and b that satisfy the above condition. As mask values that satisfy the above condition,

(10000011111011011110010100100001)2,
(11011010011001010011010110001010)2, and the like
can be used.

[0051] Ideally, the use of mask values that satisfy the above condition is recommended. However, a similar effect can be obtained if the number of 1s of the "first bits" of the respective 4-bit blocks of the mask a and the number of 1s of the "fourth bits" of the respective 4-bit blocks of the mask a are not extremely offset.
[0052] In using the mask values that satisfy the above condition, when there is no clear correspondence between the random number sequences {R1j} and {R2j} for controlling the switches, even if the same mask value is used for the masks a and b, effective countermeasures can be taken against decryption using the technique based on power consumption differences.
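
The mask conditions of paragraphs [0047] to [0051], written out as a check (an added example, not part of the patent text). It relies on the standard DES expansion E duplicating exactly the first and fourth bit of every 4-bit block, so H(E(a)) = H(a) + (first-bit 1s) + (fourth-bit 1s); the function names, the generator and the two counter-example masks in the comments are assumptions constructed for illustration.

```python
import secrets

N = 32  # bit length n of the masks a and b

# Standard DES expansion E (32 -> 48 bits); positions count from 1 at the left end.
E_TABLE = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9,
           8, 9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17,
           16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
           24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]

# Shift amounts that reach the left-end and right-end bit of each 4-bit block.
FIRST_BITS = [N - 1 - 4 * k for k in range(8)]
FOURTH_BITS = [N - 4 - 4 * k for k in range(8)]


def hamming(x):
    """Number of 1 bits in x, i.e. H(x)."""
    return bin(x).count("1")


def expand(x):
    """Apply the expansion E to a 32-bit value and return the 48-bit result."""
    return sum(((x >> (N - pos)) & 1) << (47 - i) for i, pos in enumerate(E_TABLE))


def check_mask(a):
    """Evaluate a 32-bit mask a against the conditions stated in the text."""
    a_bar = a ^ (2 ** N - 1)                      # bit inversion of a
    h_a, h_bar = hamming(a), hamming(a_bar)
    first = sum((a >> s) & 1 for s in FIRST_BITS)
    fourth = sum((a >> s) & 1 for s in FOURTH_BITS)
    return {
        "H(a)": h_a,
        "H(a_bar)": h_bar,
        # Relaxed conditions: 0 < H(a) < n and |H(a) - H(a_bar)| < n/2.
        "usable": 0 < h_a < N and abs(h_a - h_bar) < N // 2,
        # Ideal condition of [0047]: H(a) = H(a_bar) = n/2.
        "balanced": h_a == h_bar == N // 2,
        "first_bits": first,
        "fourth_bits": fourth,
        "H(E(a))": hamming(expand(a)),
        "H(E(a_bar))": hamming(expand(a_bar)),
        # Condition of [0050] on top of [0047]: four 1s among the first bits
        # and four among the fourth bits, which gives H(E(a)) = H(E(a_bar)) = 24.
        "ideal": h_a == N // 2 and first == 4 and fourth == 4,
    }


def generate_mask():
    """Draw a random mask that meets the ideal conditions by construction."""
    rng = secrets.SystemRandom()
    middle = [s for s in range(N) if s not in FIRST_BITS and s not in FOURTH_BITS]
    chosen = rng.sample(FIRST_BITS, 4) + rng.sample(FOURTH_BITS, 4) + rng.sample(middle, 8)
    return sum(1 << s for s in chosen)


if __name__ == "__main__":
    # 0xDA65358A is the second mask value listed in [0050].
    # 0x99999999 and 0x00000001 are constructed counter-examples.
    for mask in (0xDA65358A, 0x99999999, 0x00000001, generate_mask()):
        print(f"{mask:08X}", check_mask(mask))
```

The constructed mask 0x99999999 has H(a) = 16 yet expands to weight 32 against 16 for its inversion, which is the offset the E condition is meant to exclude.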
[0053] The DES arrangement shown in FIG. 1 is most widely known. However, DES arrangement methods having undergone various equivalent modifications to attain an increase in processing speed have been known.

[0054] Modifications in which the present invention is applied to the DES will be described below.
[0055] FIG. 10 shows an equivalent modification of the DES. In the implementation of the DES in FIG. 10, in order to improve the processing efficiency, the permutation E 11 and the permutation P 15 are integrated into one permutation and processed as an EP 53. The output obtained by permutating an input plaintext 58 by an initial permutation IP 57 is divided into equal halves. The right 32-bit data is input to an expansion E 51a, and the left 32-bit data is input to an expansion E 51b. The 48 bits output from the expansion E 51a are the right 48 bits of an input to the first round. The 48 bits output from the expansion E 51b are the left 48 bits of an input to the first round. An exclusive OR 55 calculates the exclusive OR of the right 48 bits of the input and an extended key K1, and outputs the resultant data to an S-box 54. The S-box 54 outputs a corresponding output to the EP 53 by looking up the table. The EP 53 permutates the input and outputs the resultant data to an exclusive OR 56. The exclusive OR 56 calculates the exclusive OR of the left 48 bits output from the expansion E 51a and the output from the EP 53. The resultant data becomes the right 48 bits of an input to the next round. The above processing on the first round is repeated up to the 16th round. The right 48 bits output from the 16th round are input to a contraction permutation E⁻¹ 52a, and the left 48 bits are input to a contraction permutation E⁻¹ 52b. The respective 32-bit outputs are input to a final permutation IP⁻¹ 59. As a consequence, a 64-bit ciphertext 60 is output.

[0056] A method of preventing decryption using the technique based on power consumption differences by applying the present invention to such a modified DES will be described below.

[0057] FIG. 11 shows an embodiment of the implementation of the DES in FIG. 10 according to the present invention. Referring to FIG. 11, "E(a)/E(ā)" indicates how the switch SW23 applies a mask based on an exclusive OR. That is, "E(a)/E(ā)" indicates the mask E(a) or E(ā).

[0058] FIG. 11 shows an embodiment which indicates that the present invention shown in FIGS. 4, 5A, and 5B can be applied to the implementation of the DES in FIG. 10.

[0059] The output obtained by performing an initial permutation for an input plaintext is divided into two equal halves. The right 32-bit data is input to an expansion E 61a, and the left 32-bit data is input to an expansion E 61b. An exclusive OR 64 calculates the exclusive OR of the 48-bit data output from the expansion E 61a and the mask E(a)/E(ā) and outputs the resultant data to an exclusive OR 65. The exclusive OR 65 calculates the exclusive OR of the output from the exclusive OR 64 and the mask E(b)/E(b̄) to obtain the right 48 bits of an input to the first round. Note that the sequence of the exclusive ORs 64 and 65 may be interchanged depending on the characteristics of the exclusive ORs.

[0060] An exclusive OR 69 calculates the exclusive OR of the 48-bit data output from the expansion E 61b and the mask E(b)/E(b̄) to obtain the left 48 bits of an input to the first round.

[0061] An exclusive OR 66 calculates the exclusive OR of the right 48 bits of the input and the mask E(a)/E(ā) to obtain the left 48 bits of an input to the next round. An exclusive OR 67 calculates the exclusive OR of the right 48 bits of the input and the mask E(b)/E(b̄) and outputs the resultant data to an exclusive OR 68. The exclusive OR 68 calculates the exclusive OR of the output from the exclusive OR 67 and the extended key K1 and outputs the resultant data to S^ 62 ("^" indicates exponentiation). The structure of S^ 62 will be described later. The output from S^ 62 is permuted by an EP 63 and output to an exclusive OR 70.

[0062] The shift register 70 calculates the exclusive OR of the left 48 bits of the input data and the output from the EP 63 to obtain the right 48 bits of an input to the next round. The processing on the first round is repeated up to the 16th round. The output from the final round is subjected to processing reverse to that for the input to the first round. More specifically, the right 48 bits are subjected to the exclusive OR 65, exclusive OR 64, and contraction permutation E⁻¹, whereas the left 48 bits are subjected to the exclusive OR 65 and contraction permutation E⁻¹. The resultant two 32-bit data are output to the final permutation.
[0063] FIG. 12 shows the structure of S^ 62 in FIG. 11.
[0064] Referring to FIG. 12, α = E(a) and ᾱ = E(ā). An exclusive OR 71 calculates the exclusive OR of an input to S^ 62 and a mask α or ᾱ and inputs the resultant data to an S-box 72. An exclusive OR 73 calculates the exclusive OR of the output from the S-box 72 and a mask P⁻¹E⁻¹(α) or P⁻¹E⁻¹(ᾱ) to obtain an output from S^ 62.

[0065] That is, a block 74 in FIG. 12 corresponds to the process blocks 34a and 34b including the switches SW12 and SW11 in FIG. 4. Note, however, that the process in the block 74 must not be performed during encryption and decryption. This is because, even if data is concealed with the above mask, since input/output operation of the S-box 72 is not concealed, decryption may be attempted by using power consumption differences in S-box processing.

[0066] The embodiment of the present invention is characterized in that the result of the process in the block 74 is obtained first by calculation performed in advance before encryption and decryption, and is then used for encryption processing and decryption processing. For example, a table in which the index of each input to each S-box and a corresponding output are rewritten is prepared for each S-box and used as S^ for encryption processing and decryption processing. In this case, an S^ table corresponding to the mask a and an S^ table corresponding to the mask ā are prepared in each S-box.
[0067] FIG. 13 shows another equivalent modification of the DES.

[0068] In the implementation of the DES in FIG. 13, in order to improve the processing efficiency, the expansion E 11 and permutation P 15 are integrated into one permutation and processed as an EP 83. The output obtained by permutating an input plaintext 88 by an initial permutation IP 87 is divided into two equal halves. The right 32-bit data is input to a permutation P⁻¹ 81a, and the left 32-bit data is input to a permutation P⁻¹ 81b. The 32 bits output from the permutation P⁻¹ 81b are the right 32 bits of an input to the first round. The 32 bits output from the permutation P⁻¹ 81b are the left 32 bits of an input to the first round. The right 32 bits of the input are input to the EP 83, and the resultant data obtained by performing an expansion for the input is output to an exclusive OR 85. The excitation reconstruction section 85 calculates the exclusive OR of the data and the extended key K1 and outputs the resultant data to an S-box 84. The S-box 84 outputs a corresponding output to an exclusive OR 86 by looking up the table. The exclusive OR 86 calculates the exclusive OR of the left 32 bits output from the expansion E 81b and the output from the S-box 84 to obtain the right 32 bits of an input to the next round. The processing on the first state is repeated up to the 16th round.

[0069] At the output of the 16th state, the right 32 bits are input to a permutation P 82a, and the left 32 bits are input to a permutation P 82b. The respective 32-bit data are input to a final permutation IP⁻¹ 89. As a consequence, a 64-bit ciphertext 90 is output. A method of preventing decryption using the technique based on power consumption differences by applying the present invention to such a modification of the DES will be described below.

[0070] FIG. 14 shows an embodiment of the equivalent modification of the DES in FIG. 13 according to the present invention.

[0071] Referring to FIG. 14, "P⁻¹(a)/P⁻¹(ā)" indicates how the switch SW23 applies a mask based on an exclusive OR. That is, "P⁻¹(a)/P⁻¹(ā)" indicates a mask P⁻¹(a) or P⁻¹(ā).

[0072] FIG. 14 shows an embodiment which indicates that the present invention shown in FIGS. 4, 5A, and 5B can be applied to the implementation of the DES in FIG. 13.

[0073] The output obtained by performing an initial permutation for an input plaintext is divided into two equal halves. The right side 32-bit data is input to a permutation P⁻¹ 91a, and the left 32-bit data is input to a permutation P⁻¹ 91b. An exclusive OR 94 calculates the exclusive OR of the 32 bits output from the permutation P⁻¹ 91a and P⁻¹(a)/P⁻¹(ā) and outputs the resultant data to an exclusive OR 95. The inverter circuit 95 calculates the exclusive OR of the output from the exclusive OR 94 and the mask P⁻¹(a)/P⁻¹(ā) to obtain the right 32 bits of an input to the first round. Note that the sequence of the exclusive ORs 94 and 95 may be interchanged depending on the characteristics of the exclusive ORs.

[0074] An exclusive OR 96 calculates the exclusive OR of the right 32 bits of the input and the mask P⁻¹(a)/P⁻¹(ā) to obtain the left 32 bits of an input to the next round. An exclusive OR 97 calculates the exclusive OR of the right 32 bits of the input and the mask P⁻¹(b)/P⁻¹(b̄) and outputs the resultant data to an EP 93. The 48-bit output obtained by expansion at the EP 93 is output to an exclusive OR 98 to be exclusive-ORed with the enlarged key K1. The resultant data is output to S^ 92. The structure of S^ 92 will be described later. The output from S^ 92 is output to an exclusive OR 100 to be exclusive-ORed with the left 32 bits of the input data so as to obtain the right 32 bits of an input to the next round. The above processing on the first state is repeated up to the 16th round.

[0075] The output from the final round is subjected to processing reverse to that for the input to the first round. More specifically, the right 32 bits are subjected to the exclusive OR 95, exclusive OR 94, and permutation P, whereas the left 32 bits are subjected to the exclusive OR 95 and permutation P. The resultant two 32-bit data are output to the final permutation.
[0076] FIG. 15 shows the structure of S^ 92 in FIG. 14.
[0077] Referring to FIG. 15, α = P⁻¹(a) and ᾱ = P⁻¹(ā). An exclusive OR 101 calculates the exclusive OR of an input to S^ 92 and a mask α or ᾱ and inputs the resultant data to an S-box 102.

[0078] An exclusive OR 103 calculates the exclusive OR of the output from the S-box 102 and a mask P⁻¹E⁻¹(α) or P⁻¹E⁻¹(ᾱ) to obtain an output from S^ 92. That is, a block 104 in FIG. 15 corresponds to the process blocks 34a and 34b including the switches SW12 and SW11 in FIG. 4. Note, however, that the process in the block 104 must not be performed during encryption and decryption. This is because, even if data is concealed with the above mask, since input/output operation of the S-box 102 is not concealed, decryption may be attempted by using power consumption differences in S-box processing. The embodiment of the present invention is characterized in that the result of the process in the block 104 is obtained first by calculation performed in advance before encryption and decryption, and is then used for encryption processing and decryption processing. For example, a table in which the index of each input to each S-box and a corresponding output are rewritten is prepared for each S-box and used as S^ for encryption processing and decryption processing.
[0079] In this case, an S^ table corresponding to the mask a and an S^ table corresponding to the mask ā are prepared in each S-box.
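
The precomputed table described for blocks 74 and 104 (paragraphs [0064] to [0066] and [0077] to [0079]), sketched for a single S-box as an added example that is not from the patent. It uses DES S-box S1; the 6-bit input mask slice alpha and 4-bit output mask slice beta are constructed values standing in for the slices of the masks that reach that S-box, and the class and function names are hypothetical.

```python
import secrets

# DES S-box S1: row = outer two bits of the 6-bit input, column = inner four bits.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(x):
    """Unmasked S1 lookup for a 6-bit input x."""
    row = ((x >> 4) & 2) | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]


def build_masked_table(alpha, beta):
    """Return T with T[x ^ alpha] == S(x) ^ beta for every 6-bit x.

    Built once, before any encryption, so that neither the unmasked index x
    nor the unmasked output S(x) has to appear while data is processed.
    """
    return [sbox(index ^ alpha) ^ beta for index in range(64)]


class MaskedSbox:
    """Holds the table for (alpha, beta) and the table for their bit inversions."""

    def __init__(self, alpha, beta):
        # Selection 0 uses the masks, selection 1 their bit inversions.
        self.masks = [(alpha, beta), (alpha ^ 0x3F, beta ^ 0xF)]
        self.tables = [build_masked_table(a, b) for a, b in self.masks]

    def lookup(self, masked_x, sel):
        """Runtime step: one table access on masked data, masked result out."""
        return self.tables[sel][masked_x]


def mean_weights(box, x):
    """Average Hamming weight of the table index and of the table output over
    both selections for a true input x (analysis helper, not runtime code)."""
    indices = [x ^ alpha for alpha, _ in box.masks]
    outputs = [box.lookup(index, sel) for sel, index in enumerate(indices)]
    weight = lambda v: bin(v).count("1")
    return sum(map(weight, indices)) / 2, sum(map(weight, outputs)) / 2


def masked_sbox_step(box, x):
    """Pick one of the two tables at random, as the switch does, and show that
    removing the output mask afterwards gives back S(x)."""
    sel = secrets.randbelow(2)
    alpha, beta = box.masks[sel]
    masked_out = box.lookup(x ^ alpha, sel)  # in the data path x arrives already masked
    return masked_out ^ beta                 # mask removal, done later in the round


if __name__ == "__main__":
    box = MaskedSbox(alpha=0b101100, beta=0b0110)  # constructed mask slices
    for x in (0b000000, 0b011011, 0b111111):
        print(f"x={x:06b} S(x)={sbox(x):2d} recovered={masked_sbox_step(box, x):2d} "
              f"mean weights (index, output)={mean_weights(box, x)}")
```

Because the second table uses the bit inversions, the index and output weights of the two selections always sum to 6 and 4, so their averages are 3 and 2 for every input.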

[0080] An embodiment in which the present invention is applied to a key scheduler will be described next with reference to FIGS. 16, 17, and 18.
[0081] A mask pattern c for masking a bit pattern K of a true key and a bit inversion pattern c̄ are prepared. Let Kc be the value obtained by converting K with c by using designated dyadic operation, and Kc̄ be the value obtained by converting K with c̄ by using the same dyadic operation. The values Kc and Kc̄ are stored in the memory in advance. Every time encryption or decryption is executed, one of the values Kc and Kc̄ is randomly selected and processed in the same manner as the true key. The resultant data is applied to a plaintext by the above dyadic operation, and inversion of the dyadic operation is performed to remove the influence of the pattern c or c̄ from the output obtained by the dyadic operation. A case wherein the present invention is applied to a DES scheme as an encryption scheme using exclusive OR operation as dyadic operation will be described first. First of all, two masked keys Kc and Kc̄ are prepared:

Kc = K (+) c

Kc̄ = K (+) c̄

where (+) represents an exclusive OR for each bit.
[0082] Prior to encryption or decryption, one of the keys Kc and Kc̄ is randomly selected, and a key schedule process of the DES is performed to sequentially generate 16 extended keys. The 16 keys extended from Kc are expressed by Kci (i = 1, ..., 16), and the keys extended from Kc̄ are expressed by Kc̄i (i = 1, ..., 16). The keys extended from Kc are influenced by the mask c, and the keys extended from Kc̄ are influenced by the mask c̄. This influence is determined by the key schedule process of the DES. In this case, however, the keys extended from the true key K, which is not masked, according to a key schedule are expressed by Ki (i = 1, ..., 16), the exclusive OR of Ki and Kci is expressed by ci, and the exclusive OR of Ki and Kc̄i is expressed by c̄i. That is,

ci = Ki (+) Kci, c̄i = Ki (+) Kc̄i

[0083] In the DES, each extended key Ki is applied to a message by an exclusive OR for each bit immediately after the expansion E. In the present invention, Kci or Kc̄i is applied in place of Ki. When Kci is applied, its influence is removed by applying ci by exclusive OR operation after the application of Kci. When Kc̄i is applied, its influence is removed by applying c̄i by exclusive OR operation after the application of Kc̄i. The values ci and c̄i are obtained by enlarging c and c̄ according to the key schedule of the DES in the same manner as extended keys. The value ci or c̄i may be generated from the mask c or c̄ selected every time encryption or decryption is performed. However, the method of calculating ci and c̄i in advance is the method that can suppress the leakage of information most against observation from the outside world. In this case, two sets of 16 48-bit masks, i.e., a total of 1,536 bits, are prepared. When, for example, the present invention is applied to IC cards, since these masks can be fixed at least for each card, ci and c̄i can be written in the ROM. This is important especially for IC cards whose storage capacities are severely constrained. In general, when the same number of bits are to be stored, the area of a ROM is smaller than that of a RAM or EEPROM. When a 1,536-bit mask is stored in a ROM, the use efficiency of an LSI chip area becomes higher than when the mask is stored in a RAM or EEPROM.

[0084] FIG. 16 shows a key schedule of the DES.

[0085] Referring to FIG. 16, reference symbols (PC-1) 111 and (PC-2) 113 denote functions each constituted by a combination of bit selection and a permutation; and ROT 112, cyclic shift operation. (PC-1) 111 discards eight bits of an externally input 64-bit key K 115 and transfers two 28-bit sequences to the cyclic shift 112. The cyclically shifted data consisting of a total of 56 bits is input to (PC-2) 113 to output a 48-bit extended key. Referring to FIG. 16, only the extended key corresponding to one round is output. However, extended keys corresponding to the 2nd, 3rd, ..., 16th rounds are generated by repeating the cyclic shift and PC-2.
[0086] FIG. 17 shows the flow of processing in a case wherein the present invention is applied to the key scheduler.

[0087] On the key input round of the key scheduler, Kc and Kc̄ are randomly selected by a switch SW31 with a probability of almost 1/2 and input to a key scheduler 122. The subsequent processing in the key scheduler is the same as key schedule processing in the general DES. An extended key 123 to be output is Kci when the input key is Kc, and Kc̄i when the input key is Kc̄.
[0088] FIG. 18 shows how an extended key influenced by a mask is applied to a message in each round function.

[0089] A method of applying Kci or Kc̄i to a message is generally the same as the method of applying Ki to a message. An exclusive OR 132 applies the extended key Kci or Kc̄i to the 48 bits output from an expansion E 131 in units of bits by exclusive OR operation. Since the resultant data is influenced by the mask c or c̄, if this data is input to an S-box without any change, correct encryption cannot be performed. For this reason, the influence of the mask c or c̄ on the data must be removed before it is input to the S-box. More specifically, if the influence of the mask is represented by ci, ci is applied to the data by an exclusive OR 133 before the data is input to an S-box 134. Since inversion of an exclusive OR is an exclusive OR, the influence of ci can be removed. This applies to a case wherein the influence of the masks is represented by c̄i.
[0090] In this embodiment, if the mask c̄ is selected as bit translation of the mask c, the respective bits of the extended key uniformly take the values "1" and "0". This can prevent leakage of information about the key against various types of observation from outside the encryption apparatus. To minimize leakage of information, ci and c̄i preferably have similar Hamming weights. Note, however, that ci is obtained by processing c through a key schedule. It is therefore difficult to completely control the Hamming weights of ci on all the rounds. Under the circumstances, a method of selecting a mask having a Hamming weight corresponding to 1/2 the bit size as the original mask c may be used.
[0091] FIG. 19 is a flow chart showing the flow of processing in an encryption method according to an embodiment, which includes the step of masking bits dependent on a plaintext with selected mask patterns and the step of removing the influence of the masks described above from the ciphertext before it is output.
[0092] When plaintext data is input (step U1), at least one i-th mask pair is selected (step U2). With this operation, mask patterns ai (step U3) or inverted mask patterns āi of the mask patterns ai are selected. The data is masked with the selected masks (step U5). It is checked whether the next mask pair is selected (step U6). If the selection of the next masks is required, the processing is repeated from the step of selecting the new i-th mask pair (step U2). If the selection of the required mask pair is complete, an encryption process of the data is performed (step U7).
[0093] Since the intermediate output data obtained by the encryption process (step U7) has been masked with the mask patterns, the i-th mask pair is determined first (step U8) to determine whether the mask patterns ai were used (step U9) or the inverted mask patterns āi were used (step U10). The masks applied to the data are removed (step U11). It is then checked whether mask removal is complete (step U12). If masks are left, the processing is repeated from the step of determining the new mask pair (step U8). If mask removal is completed by the above steps, the ciphertext is output (step U13).

[0094] FIG. 20 is a flow chart showing the flow of processing in an encryption method according to an embodiment, which includes the step of removing the influence of masks from input data to a data translation and the step of masking the output data from the data translation with mask patterns.

[0095] When data is input to the data translation (step V1), an i-th mask pair is checked (step V2) to determine whether mask patterns ai were used (step V3) or inverted mask patterns āi of the mask patterns ai were used (step V4). The masks applied to the data are removed (step V5).

[0096] It is checked whether mask removal is complete (step V6). If masks are left, the processing is repeated from the step of checking a new mask pair (step V2). If mask removal is completed by the above steps, data translation is performed (step V7).
[0097] For the output data upon the above data translation (step V7), at least one i-th mask pair is selected (step V8), and the mask patterns ai (step V9) or mask patterns āi (step V10) are selected. The data is masked with the selected masks (step V11). It is then checked whether the next mask pair is selected (step V12). If selection of a mask pair that demands selection of the next mask and masking are complete, the data is output from the data translation (step V13).
[0098] FIG. 21 is a flow chart showing the flow of processing in an encryption method according to an embodiment, which includes the step of removing the influence of masks from intermediate bit data during an encryption procedure and the step of masking the data with mask patterns.

[0099] When ciphertext intermediate value as intermediate encryption bit data is input (step W1), an i-th mask pair is checked (step W2) to determine whether mask patterns ai were used (step W3) or inverted mask patterns āi of the mask patterns ai were used (step W4). The masks applied to the data are removed (step W5).
[0100] It is then checked whether mask removal is complete (step W6). If masks are left, the processing is repeated from the step of checking a new mask pair (step W2). When mask removal is completed by the above steps, an encryption process is performed by an expansion E round function (step W7).

[0101] For the output data from the encryption round function (step W7), at least one i-th mask pair is selected to select the mask patterns ai (step W9) or the inverted mask patterns āi (step W10). The data is masked with the selected mask pair (step W11). It is further checked whether the next mask pair is selected (step W12). If selection of a mask pair that demands selection of the next mask and masking are complete, the ciphertext intermediate value is output (step W13).
[0102] FIG. 22 is a flow chart associated with an encryption procedure according to an embodiment of the present invention. When a plaintext is input (step X1), mask patterns for masking the plaintext are selected (step X2). Bits dependent on the plaintext are masked with the selected mask patterns (step X3).
[0103] For an intermediate value of the encryption data having undergone the above masking process (step X4), mask patterns for masking the input data of a round function are selected (step X5). The masks are removed from the input data of the round function (step X6). Mask patterns for masking an input to the data translation are selected (step X7). The masks are removed from the input data to the data translation (step X8). The data translation then converts the input data (step X9).
[0104] Mask patterns for masking the output from the data translation (step X9) are selected (step X10), and the output data from the data translation is masked with the mask patterns (step X11). Mask patterns for masking the output data of the round function are selected (step X12), and the output data of the round function is masked with the mask patterns (step X13).
[0105] It is checked whether the above procedure is complete up to the nth round (step X14). If the processing is not complete, the processing is repeated from step X4. If the processing is complete up to the nth round, mask patterns that mask the ciphertext are selected (step X15), and the masks are removed from the bits dependent on the ciphertext (step X16). The finally obtained ciphertext is output (step X17).
[0106] As the processing in steps X2, X3, X15, and X16, the processing described with reference to FIG. 19 is performed. As the processing in steps X5, X6, X12, and X13, the processing described with reference to FIG. 20 is performed. As the processing from step X7 to step X11, mask determination processing, mask removal, and concealment processing using masks are performed in one process by using tables calculated in advance and the like to prevent leakage of intermediate data in process.

[0107] FIG. 23 is a block diagram showing the arrangement of an IC card that implements the encryption/decryption apparatus, encryption/decryption method, and program storage medium therefor according to the present invention described above. As shown in FIG. 23, an IC card 201 includes a CPU 203, RAM 205, ROM 207, EEPROM 209, and contactor 211. The RAM 205 is used to store various data and as a work area or the like. The ROM 207 is used to store various data, programs, and the like. The EEPROM 209 is used to store the programs indicated by the flow charts of FIGS. 19 to 22 and the like. The contactor 211 obtains electrical contact with an IC card reader/writer (not shown). Note that the programs shown in FIGS. 19 to 22 may be stored in the RAM 205 or ROM 207 instead of the EEPROM 209.

[0108] In the above embodiment, the application of the present invention to the DES scheme has been described in detail. However, the present invention is not limited to this and can be applied to general encryption schemes comprised of part or all of the following three types of functions, namely dyadic operation like exclusive OR operation, a permutation equivalent to bit interchange, and cipher system equivalent to an S-box.



Claims

1. An encryption apparatus for converting a plaintext block into a ciphertext block depending on supplied key information, characterized by comprising:

means (SW1, SW2) for randomly selecting one pattern of each of pairs ai, āi (where i is a positive integer not less than one) of one or a plurality of predetermined mask patterns and mask patterns obtained by bit inversion of the predetermined mask patterns every time encryption is performed;

means (43a, 44a, 42a) for masking bits dependent on a plaintext within said apparatus with the mask patterns selected by said selection means; and

means (42b, 43b, 44b) for removing an influence of the mask a from a ciphertext before the ciphertext is output.

2. An encryption apparatus for converting a plaintext block into a ciphertext block depending on supplied key information, characterized by comprising:

means (SW1, SW2) for randomly selecting one pattern of each of pairs ai, āi (where i is a positive integer not less than one) of one or a plurality of predetermined mask patterns and mask patterns obtained by bit inversion of the predetermined mask patterns every time encryption is performed;

means (33a, 33b) for masking intermediate bit data within said apparatus with the mask patterns selected by said selection means; and

means (32a, 33b) for removing an influence of the mask a from the intermediate bit data masked by said masking means.

3. An encryption apparatus for converting a plaintext block into a ciphertext block depending on supplied key information, characterized by comprising:

data translation means (17, 35) for performing data translation to intermediate data within said apparatus;

means (SW13, SW23) for randomly selecting one pattern of each of pairs ai, āi (where i is a positive integer not less than one) of one or a plurality of predetermined mask patterns and mask patterns obtained by bit inversion of the predetermined mask patterns every time encryption is performed;

means (33a, 33b) for masking an input to said data translation means with the mask patterns selected by said selection means; and

means (24, 25) for removing an influence of the mask a from an output from said data translation means which is masked by said masking means.

4. An apparatus according to claim 1, characterized in that said means (43a, 44a, 42a) for masking the bits dependent on the plaintext within said apparatus with the selected mask patterns and said means (42b, 43b, 44b) for removing the influence of the mask a from the ciphertext comprise one of an exclusive OR, addition or subtraction with respect to a modulus w, and multiplication or division with respect to the modulus w.

5. An apparatus according to claim 2, characterized in that said means (33a, 33b) for masking the intermediate bit data within said apparatus with the selected mask patterns and said means (32a, 33b) for removing the influence of the mask a from the masked intermediate bit data comprise one of an exclusive OR, addition or subtraction with respect to a modulus w, and multiplication or division with respect to the modulus w.

6. An apparatus according to claim 3, characterized in that said data translation means (17, 35), said means (33a, 33b) for masking the input to said data translation means (17, 35) with the selected mask patterns, and said means (24, 25) for removing the influence of the mask a from the masked output from said data translation means (17, 35) comprise one of an exclusive OR, addition or subtraction with respect to a modulus w, and multiplication or division with respect to the modulus w.

7. An apparatus according to claim 3, characterized by further comprising:

first storage means (34a) for storing, in the form of a table, said means (SW13, SW23) for randomly selecting one pattern of each of the pairs ai, āi (where i is a positive integer not less than one) of one or the plurality of predetermined mask patterns and the mask patterns obtained by bit inversion of the predetermined mask patterns every time encryption is performed, said means (33a) for masking the input to said data translation means with the mask patterns ai, and said means (24, 25) for removing the influence of the masks ai from the masked output from said data translation means;

second storage means (34b) for storing, in the form of a table, said means (33b) for masking the input to said data translation means with mask patterns ā, and said means (24, 25) for removing an influence of the masks ā from the masked output from said data translation means; and

masked data translation means (EEPROM, RAM, ROM) for randomly selecting one of said first and second storage means every time encryption is performed, and performing the processing by said data translation means for masked data.

8. An apparatus according to claim 1, characterized in that the pair a, ā of the mask patterns and the mask patterns obtained by bit inversion comprises a pair a, ā of predetermined fixed mask patterns and mask patterns obtained by bit inversion of the fixed mask patterns.

9. An apparatus according to claim 1, characterized in that the pair a, ā of the mask patterns and the mask patterns obtained by bit inversion are not necessarily concealed.

10. An apparatus according to claim 1, characterized in that a Hamming weight indicating the number of bits "1s" of an n-bit long bit sequence x is defined as H(x), and the Hamming weight H(a) of the mask a satisfies 0 < H(a) < n.

11. An apparatus according to claim 1, characterized in that a Hamming weight indicating the number of bits "1s" of an n-bit long bit sequence x is defined as H(x), and an absolute value of a difference between the Hamming weight H(a) of the mask a and a Hamming weight H(ā) of bit inversion ā of the mask a is less than n/2.

12. A decryption apparatus for converting a ciphertext block into a plaintext block depending on supplied key information, characterized by comprising:

means (SW21, SW22) for randomly selecting one pattern of each of pairs ai, āi (where i is a positive integer not less than one) of one or a plurality of predetermined mask patterns and mask patterns obtained by bit inversion of the predetermined mask patterns every time decryption is performed;

means (43a, 44a, 42a) for masking bits dependent on a ciphertext within said apparatus with the mask patterns selected by said selection means; and

means (42b, 43b, 44b) for removing an influence of the mask a from a plaintext before the plaintext is output.

13. A decryption apparatus for converting a ciphertext block into a plaintext block depending on supplied key information, characterized by comprising:

means (SW1, SW2) for randomly selecting one pattern of each of pairs ai, āi (where i is a positive integer not less than one) of one or a plurality of predetermined mask patterns and mask patterns obtained by bit inversion of the predetermined mask patterns every time decryption is performed;

means (33a, 33b) for masking intermediate bit data within said apparatus with the mask patterns selected by said selection means; and

means (32a, 33b) for removing an influence of the mask a from the intermediate bit data masked by said masking means.

14. A decryption apparatus for converting a ciphertext block into a plaintext block depending on supplied key information, characterized by comprising:

data translation means (17, 35) for performing data translation to intermediate data within said apparatus;

means (SW13, SW23) for randomly selecting one pattern of each of pairs ai, āi (where i is a positive integer not less than one) of one or a plurality of predetermined mask patterns and mask patterns obtained by bit inversion of the predetermined mask patterns every time decryption is performed;

means (33a, 33b) for masking an input to said data translation means with the mask patterns selected by said selection means; and

means (24, 25) for removing an influence of the mask a from an output from said data translation means which is masked by said masking means.

15. An apparatus according to claim 12, characterized in that said means (43a, 44a, 42a) for masking the bits dependent on the plaintext within said apparatus with the selected mask patterns and said means (24, 25) for removing the influence of the mask a from the ciphertext comprise one of an exclusive OR, addition or subtraction with respect to a modulus w, and multiplication or division with respect to the modulus w.

16. An apparatus according to claim 13, characterized in that said means (33a, 33b) for masking the intermediate bit data within said apparatus with the selected mask patterns and said means (32a, 33b) for removing the influence of the mask a from the masked intermediate bit data comprise one of an exclusive OR, addition or subtraction with respect to a modulus w, and multiplication or division with respect to the modulus w.

17. An apparatus according to claim 15, characterized in that said data translation means (17, 35), said means (33a, 33b) for masking the input to said data translation means (17, 35) with the selected mask patterns, and said means (24, 25) for removing the influence of the mask a from the masked output from said data translation means comprise one of an exclusive OR, addition or subtraction with respect to a modulus w, and multiplication or division with respect to the modulus w.

18. An apparatus according to claim 14, characterized by further comprising:

first storage means (34a) for storing, in the form of a table, said means (SW13, SW23) for randomly selecting one pattern of each of the pairs ai, āi (where i is a positive integer not less than one) of one or the plurality of predetermined mask patterns and the mask patterns obtained by bit inversion of the predetermined mask patterns every time decryption is performed, said means (33a, 33b) for masking the input to said data translation means with the mask patterns ai, and means (24, 25) for removing the influence of the masks ai from the masked output from said data translation means;

second storage means (34b) for storing, in the form of a table, means (33b) for masking the input to said data translation means with mask patterns ā, and means (24, 25) for removing an influence of the masks ā from the masked output from said data translation means; and

masked data translation means (EEPROM, RAM, ROM) for randomly selecting one of said first and second storage means every time decryption is performed, and performing the processing by said data translation means for masked data.

19. An apparatus according to claim 12, characterized in that the pair a, ā of the mask patterns and the mask patterns obtained by bit inversion comprises a pair a, ā of predetermined fixed mask patterns and mask patterns obtained by bit inversion of the fixed mask patterns.

20. An apparatus according to claim 13, characterized in that the pair ai, āi of the mask patterns and the mask patterns obtained by bit inversion are not necessarily concealed.

21. An apparatus according to claim 12, characterized in that a Hamming weight indicating the number of bits "1s" of an n-bit long bit sequence x is defined as H(x), and the Hamming weight H(a) of the mask a satisfies 0 < H(a) < n.

22. An apparatus according to claim 12, characterized in that a Hamming weight indicating the number of bits "1s" of an n-bit long bit sequence x is defined as H(x), and an absolute value of a difference between the Hamming weight H(a) of the mask a and a Hamming weight H(ā) of bit inversion ā of the mask a is less than n/2.

23. An encryption method of converting a plaintext block into a ciphertext block depending on supplied key information, characterized by comprising the steps of:

(U2, U3, U4) randomly selecting one pattern of each of pairs ai, āi (where i is a positive integer not less than one) of one or a plurality of predetermined mask patterns and mask patterns obtained by bit inversion of the predetermined mask patterns every time encryption is performed;

(U5) masking bits dependent on a plaintext within the method with the selected mask patterns; and

(U11) removing an influence of the mask a from a ciphertext before the ciphertext is output.

24. An encryption method of converting a plaintext block into a ciphertext block depending on supplied key information, characterized by comprising the steps of:

(W2, W3, W4) randomly selecting one pattern of each of pairs ai, āi (where i is a positive integer not less than one) of one or a plurality of predetermined mask patterns and mask patterns obtained by bit inversion of the predetermined mask patterns every time encryption is performed;

(W5) masking intermediate bit data within the method with the selected mask patterns; and

(W11) removing an influence of the mask a from the masked intermediate bit data.

25. An encryption method of converting a plaintext block into a ciphertext block depending on supplied key information, characterized by comprising the steps of:

(V7) performing data translation to intermediate data within the method;

(V8, V9, V10) randomly selecting one pattern of each of pairs ai, āi (where i is a positive integer not less than one) of one or a plurality of predetermined mask patterns and mask patterns obtained by bit inversion of the predetermined mask patterns every time encryption is performed;

(V11) masking an input to the data translation step with the selected mask patterns; and

(V5) removing an influence of the mask a from a masked output from the data translation step.

26. A method according to claim 23, characterized in that the step of masking the bits dependent on the plaintext within the method with the selected mask patterns and the step of removing the influence of the mask a from the ciphertext comprise one of an exclusive OR, addition or subtraction with respect to a modulus w, and multiplication or division with respect to the modulus w.

27. A method according to claim 24, characterized in that the step of masking the intermediate bit data within the method with the selected mask patterns and the step of removing the influence of the mask a from the masked intermediate bit data comprise one of an exclusive OR, addition or subtraction with respect to a modulus w, and multiplication or division with respect to the modulus w.

28. A method according to claim 25, characterized in that the data translation step, the step of masking the input to the data translation step with the selected mask patterns, and the step of removing the influence of the mask a from the masked output from the data translation step comprise one of an exclusive OR, addition or subtraction with respect to a modulus w, and multiplication or division with respect to the modulus w.

29. A method according to claim 25, characterized by further comprising the steps of:

storing, in the form of a table, the step of randomly selecting one pattern of each of the pairs ai, āi (where i is a positive integer not less than one) of one or the plurality of predetermined mask patterns and the mask patterns obtained by bit inversion of the predetermined mask patterns every time encryption is performed, the step of masking the input to said data translation step with the mask patterns ai, and the step of removing the influence of the masks ai from the masked output from the data translation step;

storing, in the form of a table, the step of masking the input to said data translation step with mask patterns ā, and step of removing an influence of the masks ā from the masked output from the data translation step; and

randomly selecting one of the first and second storage steps every time encryption is performed, and performing the processing in the data translation step for masked data.

30. A method according to claim 23, characterized in that the pair a, ā of the mask patterns and the mask patterns obtained by bit inversion comprises a pair a, ā of predetermined fixed mask patterns and mask patterns obtained by bit inversion of the fixed mask patterns.

31. A method according to claim 23, characterized in that the pair a, ā of the mask patterns and the mask patterns obtained by bit inversion are not necessarily concealed.

32. A method according to claim 23, characterized in that a Hamming weight indicating the number of bits "1s" of an n-bit long bit sequence x is defined as H(x), and the Hamming weight H(a) of the mask a satisfies 0 < H(a) < n.

33. A method according to claim 23, characterized in that a Hamming weight indicating the number of bits "1s" of an n-bit long bit sequence x is defined as H(x), and an absolute value of a difference between the Hamming weight H(a) of the mask a and a Hamming weight H(ā) of bit inversion ā of the mask a is less than n/2.

34. A decryption method of converting a ciphertext block into a plaintext block depending on supplied key information, characterized by comprising the steps of:

(U2, U3, U4) randomly selecting one pattern of each of pairs ai, āi (where i is a positive integer not less than one) of one or a plurality of predetermined mask patterns and mask patterns obtained by bit inversion of the predetermined mask patterns every time decryption is performed;

(U5) masking bits dependent on a ciphertext within the method with the selected mask patterns; and

(U11) removing an influence of the mask a from a plaintext before the plaintext is output.

35. A decryption method of converting a ciphertext block into a plaintext block depending on supplied key information, characterized by comprising the steps of:

(W2, W3, W4) randomly selecting one pattern of each of pairs ai, āi (where i is a positive integer not less than one) of one or a plurality of predetermined mask patterns and mask patterns obtained by bit inversion of the predetermined mask patterns every time decryption is performed;

(W5) masking intermediate bit data within the method with the selected mask patterns; and

(W11) removing an influence of the mask a from the masked intermediate bit data.

36. A decryption method of converting a ciphertext block into a plaintext block depending on supplied key information, characterized by comprising the steps of:

(V7) performing data translation to intermediate data within the method;

(V8, V9, V10) randomly selecting one pattern of each of pairs ai, āi (where i is a positive integer not less than one) of one or a plurality of predetermined mask patterns and mask patterns obtained by bit inversion of the predetermined mask patterns every time decryption is performed;

(V11) masking an input to the data translation step with the selected mask patterns; and

(V5) removing an influence of the mask a from a masked output from the data translation step.

37. A method according to claim 34, characterized in that the step of masking the bits dependent on the ciphertext within the method with the selected mask patterns and the step of removing the influence of the mask a from the plaintext comprise one of an exclusive OR, addition or subtraction with respect to a modulus w, and multiplication or division with respect to the modulus w.

38. A method according to claim 35, characterized in that the step of masking the intermediate bit data within the method with the selected mask patterns and the step of removing the influence of the mask a from the masked intermediate bit data comprise one of an exclusive OR, addition or subtraction with respect to a modulus w, and multiplication or division with respect to the modulus w.

39. A method according to claim 36, characterized in that the data translation step, the step of masking the input to the data translation step with the selected mask patterns, and the step of removing the influence of the mask a from the masked output from the data translation step comprise one of an exclusive OR, addition or subtraction with respect to a modulus w, and multiplication or division with respect to the modulus w.

40. A method according to claim 36, characterized by further comprising the steps of:

storing, in the form of a table, the step of randomly selecting one pattern of each of the pairs ai, āi (where i is a positive integer not less than one) of one or the plurality of predetermined mask patterns and the mask patterns obtained by bit inversion of the predetermined mask patterns every time decryption is performed, the step of masking the input to said data translation step with the mask patterns ai, and the step of removing the influence of the masks ai from the masked output from the data translation step;

storing, in the form of a table, the step of masking the input to said data translation step with mask patterns ā, and step of removing an influence of the masks ā from the masked output from the data translation step; and

randomly selecting one of the first and second storage steps every time decryption is performed, and performing the processing in the data translation step for masked data.

41. A method according to claim 34, characterized in that the pair a, ā of the mask patterns and the mask patterns obtained by bit inversion comprises a pair a, ā of predetermined fixed mask patterns and mask patterns obtained by bit inversion of the fixed mask patterns.

42. A method according to claim 34, characterized in that the pair a, ā of the mask patterns and the mask patterns obtained by bit inversion are not necessarily concealed.

43. A method according to claim 34, characterized in that a Hamming weight indicating the number of bits "1s" of an n-bit long bit sequence x is defined as H(x), and the Hamming weight H(a) of the mask a satisfies 0 < H(a) < n.

44. A method according to claim 34, characterized in that a Hamming weight indicating the number of bits "1s" of an n-bit long bit sequence x is defined as H(x), and an absolute value of a difference between the Hamming weight H(a) of the mask a and a Hamming weight H(ā) of bit inversion ā of the mask a is less than n/2.

45. A computer-usable program storage medium (205, 207, 209) storing computer-readable program code means for converting a plaintext block into a ciphertext block depending on supplied key information, characterized by comprising:

computer-readable program code means (U2, U3, U4) for causing a computer to randomly select one pattern of each of pairs ai, āi (where i is a positive integer not less than one) of one or a plurality of predetermined mask patterns and mask patterns obtained by bit inversion of the predetermined mask patterns every time encryption is performed;

computer-readable program code means (U5) for causing said computer to mask bits dependent on a plaintext within the method with the selected mask patterns; and

computer-readable program code means (U11) for causing said computer to remove an influence of the mask a from a ciphertext before the ciphertext is output.

46. An encryption apparatus for converting a plaintext block into a ciphertext block depending on supplied key information, characterized by comprising:

means (SW31) for randomly selecting one pattern of each of pairs ai, āi (where i is a positive integer not less than one) of one or a plurality of predetermined mask patterns and mask patterns obtained by bit inversion of the predetermined mask patterns every time encryption is performed;

means (122) for masking bits dependent on a key within said apparatus with the mask patterns selected by said selection means;

data translation means (132) for converting intermediate data within said apparatus with the key; and

means (133) for removing an influence of the mask a from an output from said data translation means.



47. An apparatus according to claim 46, characterized in that the pair a, ā of the mask patterns and the mask patterns obtained by bit inversion comprises a pair a, ā of predetermined fixed mask patterns and mask patterns obtained by bit inversion of the fixed mask patterns.

48. An apparatus according to claim 46, characterized in that the pair a, ā of the mask patterns and the mask patterns obtained by bit inversion are not necessarily concealed.

49. An apparatus according to claim 46, characterized in that a Hamming weight indicating the number of bits "1s" of an n-bit long bit sequence x is defined as H(x), and the Hamming weight H(a) of the mask a satisfies 0 < H(a) < n.

50. An apparatus according to claim 46, characterized in that a Hamming weight indicating the number of bits "1s" of an n-bit long bit sequence x is defined as H(x), and an absolute value of a difference between the Hamming weight H(a) of the mask a and a Hamming weight H(ā) of bit inversion ā of the mask a is less than n/2.
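
The table-based masking of claims 3 and 7 and the mask-weight conditions of claims 10 and 11 can be exercised with the following Python example, which is added here and is not part of the patent text. It assumes a 6-bit S-box input, a constructed lookup table that is not a DES S-box, and hypothetical function and class names; it also shows that with a and ā chosen with equal probability the expected Hamming weight of the masked input is n/2 for every data value.

```python
import secrets

N_IN = 6  # assumed S-box input width in bits (DES-like); not taken from the claims

# Constructed 6-bit -> 4-bit table for illustration only; NOT a DES S-box.
SBOX = [((x * 7) ^ (x >> 2) ^ 0x5) & 0xF for x in range(1 << N_IN)]


def hamming_weight(x: int) -> int:
    """H(x): number of 1 bits in x."""
    return bin(x).count("1")


def invert(a: int, n: int = N_IN) -> int:
    """Bit inversion of an n-bit mask a (the pattern written ā in the claims)."""
    return a ^ ((1 << n) - 1)


def mask_is_acceptable(a: int, n: int = N_IN) -> bool:
    """Claims 10 and 11: 0 < H(a) < n and |H(a) - H(ā)| < n/2."""
    h, h_inv = hamming_weight(a), hamming_weight(invert(a, n))
    return 0 < h < n and abs(h - h_inv) < n / 2


def build_masked_table(mask: int) -> list:
    """Precompute T[y] = SBOX[y ^ mask]: a lookup on the masked input y = x ^ mask
    yields SBOX[x], so the mask's influence is removed inside the table."""
    return [SBOX[y ^ mask] for y in range(1 << N_IN)]


class MaskedSbox:
    """Two stored tables, one for a and one for ā (first and second storage)."""

    def __init__(self, a: int):
        if not mask_is_acceptable(a):
            raise ValueError("mask fails the Hamming weight conditions")
        self.masks = (a, invert(a))
        self.tables = tuple(build_masked_table(m) for m in self.masks)

    def select(self) -> int:
        """Random choice of a or ā, made once per encryption."""
        return secrets.randbelow(2)

    def mask_input(self, x: int, sel: int) -> int:
        return x ^ self.masks[sel]

    def lookup(self, masked: int, sel: int) -> int:
        return self.tables[sel][masked]


def expected_input_weight(x: int, a: int, n: int = N_IN) -> float:
    """Mean Hamming weight of the masked input when a and ā are equiprobable.
    Each bit of x ^ a is the complement of the same bit of x ^ ā, so the sum is n."""
    return (hamming_weight(x ^ a) + hamming_weight(x ^ invert(a, n))) / 2


def demo(a: int = 0b101100):  # constructed sample mask with H(a) = 3
    box = MaskedSbox(a)
    rows = []
    for x in (0b000000, 0b111111, 0b010110):  # constructed sample inputs
        sel = box.select()
        masked = box.mask_input(x, sel)
        rows.append((x, box.lookup(masked, sel) == SBOX[x], expected_input_weight(x, a)))
    return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```

A single fixed mask without the random a/ā selection does not have this property: the Hamming weight of x ^ a then still varies with x.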